Privacy Law and Policy Reporter
The Commonwealth Joint Standing Committee of Public Accounts and Audit reported in June 1998 following a lengthy inquiry into internet commerce and its implications for taxation, customs, growth of small and medium sized enterprises, and consumer protection and privacy. These extracts relate to the privacy terms of reference. The entire report is available in .pdf format on the Internet at: http://www.aph.gov.au/house/committee/jpaa/elecom/report/index.htm.
Nigel Waters, Associate Editor
1.17 Consumers value privacy and may be reluctant to participate in internet commerce if adequate security and privacy is not provided. Yet the internet enables the storage and retrieval of a wide range of information about individual spending patterns. Australia and other countries are seeking to address these issues by ensuring that privacy will be protected. Australia is currently developing a self-regulatory privacy regime for the private sector. In contrast, the European Union (EU) prefers a legislated approach and is seeking reciprocity from other countries. A key objective for the Committee is to assess the effectiveness of Australia’s self regulatory privacy approach and contrast it with the EU’s strategy. Consumer protection and privacy issues are discussed in Chapter 7.
7.59 Consumer protection and privacy are threshold issues for the successful development of internet commerce. Internet commerce does present a range of new challenges in achieving adequate consumer protection and privacy. Linked with these matters is the need to ensure effective levels of security and authentication.
7.60 Consumer protection is complicated by the international dimension of internet commerce. Domestic consumer protection laws will have no power in cases where suppliers are located in other countries. At the same time, the opportunity for consumers to seek redress through other countries’ legal processes is limited. Therefore, international cooperation and agreement will be required.
7.61 The Committee notes the participation of the Australian Competition and Consumer Commission in international ‘sweep days’ in which a range of international law enforcement agencies search for corrupt and fraudulent activities on the world wide web. The Committee supports this type of activity, and also the development of international industry codes of conduct. It is in the interest of business, both domestically and internationally, to raise consumer confidence by providing adequate levels of consumer protection.
7.62 A key requirement in achieving consumer protection and privacy is the achievement of secure transactions. The internet is an open system and security of transactions is not assured. A solution to this is the use of encryption technology. For internet commerce to flourish, encryption technology must be readily available. Therefore, the Committee rejects any restrictions on the use of encryption technology. In arriving at this conclusion, the Committee notes the competing needs of various government agencies. The Committee, in particular, rejects the use of a ‘key escrow’ system in which government agencies could gain access to the encryption keys provided by trusted third parties.
7.63 The Australian Government is moving to introduce a self-regulatory privacy regime for the private sector. Some groups, in evidence to the inquiry, rejected this strategy and called for the government to legislate on this matter. These groups point out that other countries such as New Zealand, Hong Kong, Taiwan, South Korea, Malaysia, Singapore and countries of the European Union (EU) are introducing legislation to regulate the private sector. The Australian Privacy Charter Council (APCC) claims that the laws of the EU will restrict the transfer of personal data to countries without adequate privacy protection. The APCC claimed that Australia’s self-regulatory approach would not satisfy the EU with serious consequences for international trade.
7.64 The National Australia Bank (NAB) also rejected a self-regulatory privacy regime and called for the government to legislate as the most effective means of ensuring efficiency and effectiveness. The Australian Bankers’ Association supported a self-regulatory privacy regime.
7.65 The Committee took particular note of the arguments for and against a self-regulatory privacy regime. The Committee concludes that a legislated privacy regime will be more effective than a self-regulatory approach. Privacy legislation for the private sector will ensure better coverage, receive international recognition, and will discourage state governments from passing their own legislation.
7.66 The Committee does not take this position lightly. Internet commerce must be left to develop in an environment in which private sector firms respond to market forces. The role of government should be minimal and directed at providing certainty for both consumers and business through a light touch regulatory regime. In particular, the Committee accepts self-regulatory approaches wherever possible. These are principles which the Committee supports and which have been consistent themes throughout this report. At the same time, these principles need to be applied on a case by case basis with each issue being subject to policy and administrative analysis. In the case of privacy, there is overwhelming evidence for legislation.
7.67 First, the Committee is not persuaded that a self-regulatory privacy regime will have sufficient enforcement provisions to ensure compliance. Mr Ira Magaziner, Senior Advisor on Policy Development to President Clinton, commented that governments would be wasting their time trying to legislate because they could not enforce their laws.
7.68 Magaziner argues that market forces, in which consumers exercise choice, will ensure compliance. Companies complying with industry codes would be permitted to display a seal or symbol on their website to show that they were abiding by privacy principles. In response to this, the Committee agrees that legislation will not ensure full compliance. There will always be groups that seek to gain from acting outside the law. However, with Magaziner’s proposal there will be even more room for business to act outside the guidelines.
7.69 In a legislated privacy regime, companies ignoring the legislation would be acting illegally and their business credibility could be destroyed if they were revealed. Under a self-regulatory approach, there is no legal incentive for a company to comply, and it is problematic that consumer confidence would be adversely affected if it was shown that a company was not complying with privacy principles. A self-regulatory approach requires that all consumers be adequately informed and able to make rational economic decisions. Unfortunately this is not the case and, therefore, it is possible that companies ignoring self-regulatory privacy codes could continue to operate.
7.70 A second issue is the importance of consumer confidence in ensuring the growth of internet commerce. Internet users must have reasonable confidence that their privacy is protected. The Committee believes that privacy legislation, particularly in the short term, will be more effective than self-regulation in raising consumer confidence. This is based on some of the comments raised in the previous paragraphs regarding levels of consumer knowledge and information.
7.71 Third, there is not sufficient evidence showing that business supports a self-regulatory approach. For example, the Price Waterhouse Privacy Survey revealed that, of those businesses surveyed, 70 per cent supported legislation. In evidence to the inquiry, the National Australia Bank supported the introduction of legislation. The Committee is aware that the Victorian Government prefers the introduction of privacy legislation. In addition, the Victorian Government would prefer the Commonwealth Government to introduce overarching privacy legislation. If the Commonwealth continues with its preference for a self-regulatory privacy regime then the Committee believes that Victoria will legislate. In this event, New South Wales and other states would probably follow.
7.72 If the States pass their own privacy legislation then the Federal Government’s self-regulatory privacy regime will be made redundant. The private sector would have a clear incentive to comply with a State legislated privacy regime and will ignore the Federal Government’s self-regulatory approach. Under this scenario, the Federal Government would eventually be forced to legislate. During this chain of events, national corporations may have to comply with privacy legislation from a number of individual states which could introduce confusion and significantly add to compliance costs.
7.73 The Committee notes that the US supports a self-regulatory approach to privacy. This was confirmed by Mr Ira Magaziner, Senior Advisor on Policy Development to President Clinton, at the ‘Enabling Australia’ conference on 16 April 1998 in Canberra. President Clinton, through the Framework document, stated that ‘we will re-evaluate this policy’ if privacy concerns are not addressed by industry. This can be interpreted in a number of ways and does not automatically mean that the US will legislate. However, if the US did choose this path 12 months down the track then Australia would be seriously isolated with its policy choice.
7.74 Finally, the Committee does not accept that a legislated scheme, in contrast to self-regulation, will create more compliance costs for business. At the same time, it is not expected that there will be a significant increase in government expenditure. The ACCC, for example, could monitor compliance with privacy legislation as part of its overall responsibility to administer the Trade Practices Act. For these reasons, the Committee recommends that the Government develop privacy legislation for the private sector.
7.75 Recommendation 17
That the Australian Government introduce privacy legislation, with specific reference to information communications, to govern the use of personal information in the private sector.